mirror of
https://github.com/espressif/esp-idf.git
synced 2024-10-05 20:47:46 -04:00
Merge branch 'bugfix/mdns_security_issues' into 'master'
Bugfix/mdns security issues Fixes a series of security issues with MDNS. STACK-SMASH:dd3f18d2d8/components/mdns/mdns.c (L494)
: The sprintf is not limited. We can execute the sprintf codeflow as many times as we want, allowing arbitrary long data being written into stack. PACKET-OF-DEATH:dd3f18d2d8/components/mdns/mdns.c (L502)
. The compare allows equal, and thus jumping back to it self infinite recursion -> guaranteed crash TXT-SMASH:dd3f18d2d8/components/mdns/mdns.c (L1381)
The loop does not check on reaching a->txt maximum size (1024), resulting in stack overflow. See merge request !576
This commit is contained in:
commit
577290aaba
@ -491,7 +491,7 @@ static const uint8_t * _mdns_read_fqdn(const uint8_t * packet, const uint8_t * s
|
|||||||
&& (strcmp(buf, MDNS_DEFAULT_DOMAIN) != 0)
|
&& (strcmp(buf, MDNS_DEFAULT_DOMAIN) != 0)
|
||||||
&& (strcmp(buf, "ip6") != 0)
|
&& (strcmp(buf, "ip6") != 0)
|
||||||
&& (strcmp(buf, "in-addr") != 0)) {
|
&& (strcmp(buf, "in-addr") != 0)) {
|
||||||
sprintf((char*)name, "%s.%s", name->host, buf);
|
snprintf((char*)name, MDNS_NAME_BUF_LEN, "%s.%s", name->host, buf);
|
||||||
} else if (strcmp(buf, MDNS_SUB_STR) == 0) {
|
} else if (strcmp(buf, MDNS_SUB_STR) == 0) {
|
||||||
name->sub = 1;
|
name->sub = 1;
|
||||||
} else {
|
} else {
|
||||||
@ -499,7 +499,7 @@ static const uint8_t * _mdns_read_fqdn(const uint8_t * packet, const uint8_t * s
|
|||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
size_t address = (((uint16_t)len & 0x3F) << 8) | start[index++];
|
size_t address = (((uint16_t)len & 0x3F) << 8) | start[index++];
|
||||||
if ((packet + address) > start) {
|
if ((packet + address) >= start) {
|
||||||
//reference address can not be after where we are
|
//reference address can not be after where we are
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
@ -1182,13 +1182,13 @@ static mdns_service_t * _mdns_create_service(const char * service, const char *
|
|||||||
s->txt = NULL;
|
s->txt = NULL;
|
||||||
s->port = port;
|
s->port = port;
|
||||||
|
|
||||||
s->service = strdup(service);
|
s->service = strndup(service, MDNS_NAME_BUF_LEN - 1);
|
||||||
if (!s->service) {
|
if (!s->service) {
|
||||||
free(s);
|
free(s);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
s->proto = strdup(proto);
|
s->proto = strndup(proto, MDNS_NAME_BUF_LEN - 1);
|
||||||
if (!s->proto) {
|
if (!s->proto) {
|
||||||
free((char *)s->service);
|
free((char *)s->service);
|
||||||
free(s);
|
free(s);
|
||||||
@ -1341,7 +1341,7 @@ static void _mdns_parse_packet(mdns_server_t * server, const uint8_t * data, siz
|
|||||||
(strcmp(name->proto, server->search.proto) != 0)) {
|
(strcmp(name->proto, server->search.proto) != 0)) {
|
||||||
continue;//not searching for service or wrong service/proto
|
continue;//not searching for service or wrong service/proto
|
||||||
}
|
}
|
||||||
sprintf(answer->instance, "%s", name->host);
|
strlcpy(answer->instance, name->host, MDNS_NAME_BUF_LEN);
|
||||||
} else if (type == MDNS_TYPE_SRV) {
|
} else if (type == MDNS_TYPE_SRV) {
|
||||||
if (server->search.host[0] ||
|
if (server->search.host[0] ||
|
||||||
(strcmp(name->service, server->search.service) != 0) ||
|
(strcmp(name->service, server->search.service) != 0) ||
|
||||||
@ -1353,7 +1353,7 @@ static void _mdns_parse_packet(mdns_server_t * server, const uint8_t * data, siz
|
|||||||
continue;//instance name is not the same as the one in the PTR record
|
continue;//instance name is not the same as the one in the PTR record
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
sprintf(answer->instance, "%s", name->host);
|
strlcpy(answer->instance, name->host, MDNS_NAME_BUF_LEN);
|
||||||
}
|
}
|
||||||
//parse record value
|
//parse record value
|
||||||
if (!_mdns_parse_fqdn(data, data_ptr + MDNS_SRV_FQDN_OFFSET, name)) {
|
if (!_mdns_parse_fqdn(data, data_ptr + MDNS_SRV_FQDN_OFFSET, name)) {
|
||||||
@ -1367,15 +1367,19 @@ static void _mdns_parse_packet(mdns_server_t * server, const uint8_t * data, siz
|
|||||||
if (answer->host[0]) {
|
if (answer->host[0]) {
|
||||||
if (strcmp(answer->host, name->host) != 0) {
|
if (strcmp(answer->host, name->host) != 0) {
|
||||||
answer->addr = 0;
|
answer->addr = 0;
|
||||||
sprintf(answer->host, "%s", name->host);
|
strlcpy(answer->host, name->host, MDNS_NAME_BUF_LEN);
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
sprintf(answer->host, "%s", name->host);
|
strlcpy(answer->host, name->host, MDNS_NAME_BUF_LEN);
|
||||||
}
|
}
|
||||||
} else if (type == MDNS_TYPE_TXT) {
|
} else if (type == MDNS_TYPE_TXT) {
|
||||||
uint16_t i=0,b=0, y;
|
uint16_t i=0,b=0, y;
|
||||||
while(i < data_len) {
|
while(i < data_len) {
|
||||||
uint8_t partLen = data_ptr[i++];
|
uint8_t partLen = data_ptr[i++];
|
||||||
|
//check if partLen will fit in the buffer
|
||||||
|
if (partLen > (MDNS_TXT_MAX_LEN - b - 1)) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
for(y=0; y<partLen; y++) {
|
for(y=0; y<partLen; y++) {
|
||||||
char d = data_ptr[i++];
|
char d = data_ptr[i++];
|
||||||
answer->txt[b++] = d;
|
answer->txt[b++] = d;
|
||||||
@ -1391,7 +1395,7 @@ static void _mdns_parse_packet(mdns_server_t * server, const uint8_t * data, siz
|
|||||||
continue;//wrong host
|
continue;//wrong host
|
||||||
}
|
}
|
||||||
} else if (!answer->ptr) {
|
} else if (!answer->ptr) {
|
||||||
sprintf(answer->host, "%s", name->host);
|
strlcpy(answer->host, name->host, MDNS_NAME_BUF_LEN);
|
||||||
} else if (strcmp(answer->host, name->host) != 0) {
|
} else if (strcmp(answer->host, name->host) != 0) {
|
||||||
continue;//wrong host
|
continue;//wrong host
|
||||||
}
|
}
|
||||||
@ -1402,7 +1406,7 @@ static void _mdns_parse_packet(mdns_server_t * server, const uint8_t * data, siz
|
|||||||
continue;//wrong host
|
continue;//wrong host
|
||||||
}
|
}
|
||||||
} else if (!answer->ptr) {
|
} else if (!answer->ptr) {
|
||||||
sprintf(answer->host, "%s", name->host);
|
strlcpy(answer->host, name->host, MDNS_NAME_BUF_LEN);
|
||||||
} else if (strcmp(answer->host, name->host) != 0) {
|
} else if (strcmp(answer->host, name->host) != 0) {
|
||||||
continue;//wrong host
|
continue;//wrong host
|
||||||
}
|
}
|
||||||
@ -1534,6 +1538,9 @@ esp_err_t mdns_set_hostname(mdns_server_t * server, const char * hostname)
|
|||||||
if (!server) {
|
if (!server) {
|
||||||
return ESP_ERR_INVALID_ARG;
|
return ESP_ERR_INVALID_ARG;
|
||||||
}
|
}
|
||||||
|
if (strlen(hostname) > (MDNS_NAME_BUF_LEN - 1)) {
|
||||||
|
return ESP_ERR_INVALID_ARG;
|
||||||
|
}
|
||||||
MDNS_MUTEX_LOCK();
|
MDNS_MUTEX_LOCK();
|
||||||
free((char*)server->hostname);
|
free((char*)server->hostname);
|
||||||
server->hostname = (char *)malloc(strlen(hostname)+1);
|
server->hostname = (char *)malloc(strlen(hostname)+1);
|
||||||
@ -1541,7 +1548,7 @@ esp_err_t mdns_set_hostname(mdns_server_t * server, const char * hostname)
|
|||||||
MDNS_MUTEX_UNLOCK();
|
MDNS_MUTEX_UNLOCK();
|
||||||
return ESP_ERR_NO_MEM;
|
return ESP_ERR_NO_MEM;
|
||||||
}
|
}
|
||||||
sprintf((char *)server->hostname, "%s", hostname);
|
strlcpy((char *)server->hostname, hostname, MDNS_NAME_BUF_LEN);
|
||||||
MDNS_MUTEX_UNLOCK();
|
MDNS_MUTEX_UNLOCK();
|
||||||
return ERR_OK;
|
return ERR_OK;
|
||||||
}
|
}
|
||||||
@ -1551,6 +1558,9 @@ esp_err_t mdns_set_instance(mdns_server_t * server, const char * instance)
|
|||||||
if (!server) {
|
if (!server) {
|
||||||
return ESP_ERR_INVALID_ARG;
|
return ESP_ERR_INVALID_ARG;
|
||||||
}
|
}
|
||||||
|
if (strlen(instance) > (MDNS_NAME_BUF_LEN - 1)) {
|
||||||
|
return ESP_ERR_INVALID_ARG;
|
||||||
|
}
|
||||||
MDNS_MUTEX_LOCK();
|
MDNS_MUTEX_LOCK();
|
||||||
free((char*)server->instance);
|
free((char*)server->instance);
|
||||||
server->instance = (char *)malloc(strlen(instance)+1);
|
server->instance = (char *)malloc(strlen(instance)+1);
|
||||||
@ -1558,7 +1568,7 @@ esp_err_t mdns_set_instance(mdns_server_t * server, const char * instance)
|
|||||||
MDNS_MUTEX_UNLOCK();
|
MDNS_MUTEX_UNLOCK();
|
||||||
return ESP_ERR_NO_MEM;
|
return ESP_ERR_NO_MEM;
|
||||||
}
|
}
|
||||||
sprintf((char *)server->instance, "%s", instance);
|
strlcpy((char *)server->instance, instance, MDNS_NAME_BUF_LEN);
|
||||||
MDNS_MUTEX_UNLOCK();
|
MDNS_MUTEX_UNLOCK();
|
||||||
return ERR_OK;
|
return ERR_OK;
|
||||||
}
|
}
|
||||||
@ -1655,6 +1665,9 @@ esp_err_t mdns_service_instance_set(mdns_server_t * server, const char * service
|
|||||||
if (!server || !server->services || !service || !proto) {
|
if (!server || !server->services || !service || !proto) {
|
||||||
return ESP_ERR_INVALID_ARG;
|
return ESP_ERR_INVALID_ARG;
|
||||||
}
|
}
|
||||||
|
if (strlen(instance) > (MDNS_NAME_BUF_LEN - 1)) {
|
||||||
|
return ESP_ERR_INVALID_ARG;
|
||||||
|
}
|
||||||
mdns_srv_item_t * s = _mdns_get_service_item(server, service, proto);
|
mdns_srv_item_t * s = _mdns_get_service_item(server, service, proto);
|
||||||
if (!s) {
|
if (!s) {
|
||||||
return ESP_ERR_NOT_FOUND;
|
return ESP_ERR_NOT_FOUND;
|
||||||
@ -1741,10 +1754,10 @@ uint32_t mdns_query(mdns_server_t * server, const char * service, const char * p
|
|||||||
mdns_result_free(server);
|
mdns_result_free(server);
|
||||||
if (proto) {
|
if (proto) {
|
||||||
server->search.host[0] = 0;
|
server->search.host[0] = 0;
|
||||||
snprintf(server->search.service, MDNS_NAME_MAX_LEN, "%s", service);
|
strlcpy(server->search.service, service, MDNS_NAME_BUF_LEN);
|
||||||
snprintf(server->search.proto, MDNS_NAME_MAX_LEN, "%s", proto);
|
strlcpy(server->search.proto, proto, MDNS_NAME_BUF_LEN);
|
||||||
} else {
|
} else {
|
||||||
snprintf(server->search.host, MDNS_NAME_MAX_LEN, "%s", service);
|
strlcpy(server->search.host, service, MDNS_NAME_BUF_LEN);
|
||||||
server->search.service[0] = 0;
|
server->search.service[0] = 0;
|
||||||
server->search.proto[0] = 0;
|
server->search.proto[0] = 0;
|
||||||
qtype = MDNS_TYPE_A;
|
qtype = MDNS_TYPE_A;
|
||||||
|
Loading…
x
Reference in New Issue
Block a user